diff --git a/barbican/common/policies/orders.py b/barbican/common/policies/orders.py
index e034e0b9b..f0580f00a 100644
--- a/barbican/common/policies/orders.py
+++ b/barbican/common/policies/orders.py
@@ -12,12 +12,13 @@
 
 from oslo_policy import policy
 
+_MEMBER = "role:member"
 
 rules = [
     policy.DocumentedRuleDefault(
         name='orders:get',
-        check_str='rule:all_but_audit',
-        scope_types=[],
+        check_str=f'rule:all_but_audit or {_MEMBER}',
+        scope_types=['project'],
         description='Gets list of all orders associated with a project.',
         operations=[
             {
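Review bot: The deprecation the release note promises is not expressed in the rules: each new `check_str` simply ORs the legacy rule with `role:member` (`f'rule:all_but_audit or {_MEMBER}'` here, and the same shape in the `orders:post`, `orders:put`, `order:get` and `order:delete` hunks below), so the effective policy is strictly wider than before, no `deprecated_rule` is registered, operators get no deprecation warning, and nothing narrows to member-only without another code change. oslo.policy models this with `DocumentedRuleDefault(check_str=_MEMBER, deprecated_rule=policy.DeprecatedRule(...))`, which keeps the legacy check in effect (with a logged warning) until it is dropped, and lets `oslopolicy-*` tooling report the pending change. With `scope_types=['project']` the `role:member` check carries no project-id match in the rule itself, so cross-project access is prevented only if the controller compares the order's project to the token's project — worth confirming rather than assuming, since `rule:admin` had the same property. The `order:delete` hunk is the most sensitive of the five, moving from `rule:admin` to any project member, and it is the one where an explicit deprecation record matters most.

```python
    policy.DocumentedRuleDefault(
        name='orders:get',
        check_str=_MEMBER,
        scope_types=['project'],
        description='Gets list of all orders associated with a project.',
        # Keep the legacy check enforced, with a deprecation warning, until it
        # is removed in a later release; new deployments get member-only.
        deprecated_rule=policy.DeprecatedRule(
            name='orders:get',
            check_str='rule:all_but_audit',
            deprecated_reason='<placeholder: secure-rbac narrows this to project members>',
            deprecated_since='<placeholder: release name>',
        ),
        # … unchanged: operations list …
```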
@@ -28,8 +29,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='orders:post',
-        check_str='rule:admin_or_creator',
-        scope_types=[],
+        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        scope_types=['project'],
         description='Creates an order.',
         operations=[
             {
@@ -40,8 +41,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='orders:put',
-        check_str='rule:admin_or_creator',
-        scope_types=[],
+        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        scope_types=['project'],
         description='Unsupported method for the orders API.',
         operations=[
             {
@@ -52,8 +53,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='order:get',
-        check_str='rule:all_users',
-        scope_types=[],
+        check_str=f'rule:all_users or {_MEMBER}',
+        scope_types=['project'],
         description='Retrieves an orders metadata.',
         operations=[
             {
@@ -64,8 +65,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='order:delete',
-        check_str='rule:admin',
-        scope_types=[],
+        check_str=f'rule:admin or {_MEMBER}',
+        scope_types=['project'],
         description='Deletes an order.',
         operations=[
             {
diff --git a/releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml b/releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml
new file mode 100644
index 000000000..0f23bc9e4
--- /dev/null
+++ b/releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml
@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    Implement secure-rbac for orders resource.
+security:
+  - |
+    The current policy allows all users except those with the audit role to
+    list orders or retrieve an orders metadata.  The new desired policy will
+    restrict this to members.  For backwards compatibility, the old policies
+    remain in effect, but they are deprecated and will be removed in future,
+    leaving the more restrictive new policy.
+  - |
+    The new secure-rbac policy allows for secret deletion by members.  This is
+    a change from the previous policy that only allowed deletion by the
+    project admin.